some windows environments do not allow anonymous connections to LSARPC pipe.
In 3.0.33 net rpc getsid used to allow a user name and password to be entered, but this does not appear to be the case for 3.3.9

This bug can be reproduced by doing the following on a Windows 2003 domain controller
GP, default domain policy,
computer configuration, windows settings, security settings, local policies, security options.
look for
Network access: Named Pipes that can be accessed anonymously
open it up, check
define this policy settings in the template
remove lsarpc and sam
apply.
run gpupdate.
Then net rpc getsid will return "Could not initialise lsa pipe"

I am not sure what the selftest.sh part of the patch is about, but I have been testing the net_rpc_getsid portion against a Windows 2003 with hardened security as explained in comment #1 and it works well in my 3.3.9 environment.